Businesses Struggle to Manage Information Security Risks Created by Unauthorised Technology Use
- All Things Being ISOs


Information security professionals are warning businesses about the growing risks associated with unauthorised software, cloud services and artificial intelligence tools being used by employees without formal approval or oversight. The phenomenon, often referred to as "shadow IT", is emerging as one of the most significant information-security challenges facing organisations across multiple sectors.
Industry assessments suggest that employees are increasingly adopting third-party applications, online collaboration platforms, file-sharing services and AI-powered productivity tools to improve efficiency and overcome operational constraints. While these tools can provide genuine business benefits, security experts warn that many are being introduced without proper risk assessment, contractual review or technical controls.
A spokesperson for the National Cyber Security Centre said organisations need to understand what technology is being used across their operations if they are to manage information risks effectively. “Businesses cannot protect systems or information assets they are unaware of. Visibility and governance remain fundamental to maintaining security.”
Security consultants report that shadow IT often develops when employees perceive approved systems as slow, restrictive or unsuitable for their needs. In many cases, individuals are attempting to solve operational problems rather than deliberately circumvent security requirements. However, the result can be sensitive information being uploaded to unapproved platforms or shared through services that lack appropriate safeguards.
“Most shadow IT does not originate from malicious intent,” said Rachel Morgan, an information-security adviser working with commercial organisations. “Employees want to be productive. The problem is that business data can quickly spread into systems that have not been assessed for security, privacy or regulatory compliance.”
Recent audits have identified examples of confidential documents being stored in personal cloud accounts, project information being shared through consumer messaging applications and business data being entered into publicly available AI tools. In some organisations, security teams were unaware these services were being used until an audit or incident investigation revealed them.
The challenge is becoming more complex as AI adoption accelerates. Many businesses are still developing governance frameworks for artificial intelligence while employees are already experimenting with a growing range of tools. Security professionals warn that organisations may inadvertently expose sensitive information if employees upload customer data, intellectual property or internal business information into systems outside organisational control.
Industry bodies say the issue highlights the need for stronger collaboration between business functions and IT teams. Rather than simply restricting access, some organisations are focusing on providing secure alternatives that meet operational requirements while maintaining appropriate controls.
Several businesses have responded by introducing technology-approval processes, improving awareness training and expanding monitoring of software and cloud-service usage. Others are carrying out formal reviews to identify previously unknown applications and assess associated risks.
Morgan added: “The organisations that manage this challenge successfully are the ones that recognise why shadow IT appears in the first place. Security cannot be achieved through prohibition alone. Businesses need governance, visibility and practical solutions that enable people to work effectively without creating unnecessary risk.”
As digital transformation and AI adoption continue to accelerate, unauthorised technology use is expected to remain a key area of focus for auditors, regulators and customers. For organisations operating information-security management systems such as ISO 27001, demonstrating control over technology adoption and information flows is becoming an increasingly important part of maintaining trust and managing risk.